@antv npm Attack Hits CI/CD Secrets and Tokens
Summary
Microsoft has disclosed an active supply chain attack involving compromised @antv npm packages that used malicious preinstall scripts to steal credentials from GitHub Actions and other CI/CD environments. The campaign matters because it spread through popular downstream dependencies, putting developer pipelines, cloud secrets, and software supply chains at risk.
Introduction
Microsoft has uncovered a significant npm supply chain attack affecting the @antv package ecosystem. Because these packages are widely used directly and transitively, the compromise can reach far beyond a single project and into CI/CD pipelines, cloud environments, and downstream software builds.
For IT and security teams, this is a reminder that package ecosystem compromises can quickly become credential theft and cloud access incidents.
What happened
A threat actor compromised an @antv maintainer account and published malicious package versions. The malicious code executed during npm install through a preinstall hook and targeted GitHub Actions runners on Linux.
Key technical findings
- Malicious
@antvpackages propagated through dependency chains into widely used libraries such asecharts-for-react - The payload was heavily obfuscated and designed to evade analysis
- It executed silently during package installation
- It focused on CI/CD environments, especially GitHub Actions
- It installed Bun if needed and launched a second-stage payload
Credentials and secrets targeted
Microsoft says the malware attempted to steal credentials from multiple platforms, including:
- GitHub tokens and repository secrets
- AWS credentials and Secrets Manager data
- HashiCorp Vault tokens
- npm tokens
- Kubernetes service account secrets
- 1Password CLI data
The payload also scraped GitHub Actions runner process memory to extract secrets directly, potentially bypassing normal secret masking protections.
Why this matters for administrators
This is more than a developer issue. If affected packages were installed in enterprise build systems, attackers may have gained access to:
- Source code repositories
- CI/CD secrets and pipelines
- Cloud workloads and infrastructure
- Package publishing credentials
Microsoft also notes the malware attempted privilege escalation, dual-channel exfiltration, and even SLSA provenance forgery, which undermines trust in software supply chain attestations.
What GitHub did
GitHub responded by:
- Removing 640 malicious packages
- Invalidating 61,274 npm granular access tokens with write permissions and 2FA bypass
- Publishing advisories and issuing Dependabot and npm audit alerts
Recommended next steps
Administrators should act quickly:
- Review dependency trees for direct or transitive use of affected
@antvpackages - Identify systems that installed or built these packages during the exposure window
- Rotate GitHub, npm, AWS, Vault, Kubernetes, and other potentially exposed credentials
- Audit GitHub Actions workflows, runner logs, and repository changes for suspicious activity
- Check for unauthorized repos, commits, secrets access, or package publication events
- Pin known-good package versions and strengthen dependency controls
Bottom line
The @antv compromise shows how a single npm maintainer account takeover can cascade into widespread CI/CD credential theft. Security and DevOps teams should treat any exposure as a potential pipeline and cloud credential incident, not just a package hygiene issue.
Need help with Security?
Our experts can help you implement and optimize your Microsoft solutions.
Talk to an ExpertStay updated on Microsoft technologies